How Do I Remove Malware from Windows?

Steps to take in the face of infection.

I'll walk you through the steps to clean an infected computer, from backups and full scans to the one method guaranteed to work... plus how to avoid the whole mess next time.

One question that shows up frequently in the Ask Leo! inbox is how to remove malware.

The scenarios differ, but the problem is the same: a machine has been infected with spyware, a virus, ransomware, or some other form of malware, and that machine’s owner is having a tough time getting rid of it. Often, anti-malware software has been installed that “should” have taken care of it before it got to this stage.

Hopefully, that’ll never be you.

Let’s review the steps I recommend for removing malware and reducing the chances it’ll happen again.

TL;DR:

Removing malware safely

  • Back up the infected machine for an additional safety net and later data recovery.
  • Restore from backups taken prior to the infection if you can.
  • Update your security software database and run full scans of your disks.
  • Try additional anti-malware tools.
  • Look for removal instructions specific to the malware you have, if possible.
  • If unsuccessful, give up: back up, reformat, and reinstall everything from scratch.
  • Prevention (and preparation in the form of a backup) is by far the easiest solution.

A word about prevention

If there’s one thing I would have you take away from this article, it would be this:

Prevention is less painful than the cure.

As we’ll see shortly, the steps to remove malware can be painful and time-consuming, and you run the risk of losing data. Knowing how to stay safe on the internet is much, much easier in comparison.

Let’s look at what to do when prevention has failed.


Back up

My strong recommendation is to start by taking a complete image backup of your system.

Why would you want to back up a system you know is infected with malware?

A backup taken now is an “it-can’t-get-any-worse-than-this” fallback. Some of the techniques we use to remove malware run the risk of breaking things and making the situation worse. With this backup at the ready, you can always restore and start over with nothing lost. It will also allow you to carefully restore data after some of our more drastic recovery steps.

Restore a prior backup

If you’ve been taking regular backups, this is the most expedient step and can save a lot of time and energy.

Restore your machine completely from the most recent full system backup plus any incremental backups taken before the infection occurred. Except for learning from the experience, you’re done.

Unfortunately, most people don’t have this option available. Most people don’t begin backing up until after they’ve experienced data loss or a severe malware infection. One of the lessons they learn is that a recent backup can save them from almost any problem, including malware.

Update your anti-malware database

If you have anti-malware software installed, make sure it’s up to date. This includes more than just the software itself; the database of malware definitions must also be current.

Almost all anti-malware tools use databases of malware definitions. They change daily, if not more often. As a result, they must be updated regularly. If you’re using the built-in Windows Security program, the database gets updated along with Windows Update.

Most programs do this automatically, but if for some reason they don’t, the program will not “know” about the most recent forms of malware. Make sure your database is up to date so it recognizes the latest threats.

Perform a full scan

Anti-malware tools regularly perform a “quick” or fast scan. That’s typically sufficient for day-to-day operations.

But not today.

Fire up your anti-malware tools and run a full/advanced/complete scan of your entire system drive. If you have a single tool, that might be one run; if you use multiple tools, then run a full scan with each. This may take some time, but let the tools do their job.

This also applies if your anti-malware automated scans have stopped working for some reason (that reason often being malware). If this full scan discovers something, it might be worth checking to make sure the security software is properly configured to still scan automatically.
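The definition update, full scan, and follow-up check from the sections above can be run from an elevated PowerShell prompt with the Microsoft Defender cmdlets built into Windows. This is an added example, not part of the original article; it assumes Windows Security (Defender) is the active anti-malware tool, and the one-day staleness threshold is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article). Uses the Defender cmdlets that ship with Windows.

$maxAgeDays = 1   # assumption: definitions older than one day count as stale

# Step 1: update the malware definition database, then confirm the update took.
Update-MpSignature
$status = Get-MpComputerStatus
"Definitions: version $($status.AntivirusSignatureVersion), updated $($status.AntivirusSignatureLastUpdated)"
if ($status.AntivirusSignatureAge -gt $maxAgeDays) {
    Write-Warning "Definitions are still $($status.AntivirusSignatureAge) day(s) old; the update may be blocked."
}

# Step 2: run a full scan (not the quick scan). This call blocks until the scan finishes.
$scanStart = Get-Date
Start-MpScan -ScanType FullScan

# Step 3: list what was detected since the scan began, with threat names attached.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $scanStart } |
    Select-Object @{n = 'Threat'; e = { $names[$_.ThreatID] }}, Resources, ActionSuccess |
    Format-List

# Step 4: confirm protection is still switched on, since malware often disables it.
$status = Get-MpComputerStatus
foreach ($check in 'AntivirusEnabled', 'RealTimeProtectionEnabled') {
    if (-not $status.$check) { Write-Warning "$check is False: protection has been turned off." }
}
"Last full scan finished: $($status.FullScanEndTime)"
```

A clean result here means only that this tool found nothing; the later sections on second-opinion scanners and reinstalling still apply.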

Try another anti-malware tool

No anti-malware tool catches all malware.

I’ll say it again: there is no single tool that can catch every single piece of malware out there. None. Some catch more than others, but none of them catch everything.

So using additional reputable tools is a reasonable approach.

I recommend the free[1] version of Malwarebytes as the first tool to use. It has a reputation for removing some nasties that other tools apparently miss. Once again, run a full scan.

Regardless of which tool you select, stick with reputable tools. When a machine is infected, some people tend to panic and download just about anything claiming to be an anti-malware tool. Don’t do that. There are many less-than-reputable individuals out there ready to take advantage of your panic.

Do some research before downloading anything, or you may make the problem worse instead of better.

Research specific removal instructions

If your anti-malware software tells you the name of the specific malware you’re dealing with, that’s good information, even if it can’t remove it.

Search for that malware, and you may find specific removal instructions at one or more of the major anti-malware vendor sites. These instructions can be somewhat technical and intimidating, so take your time to follow them precisely, or get a techie friend to help.

Those instructions often come with offers to remove the malware for a price. As long as it’s an option (in other words, the manual removal instructions are also provided), then it may be a viable alternative if the company is one you trust. On the other hand, if all you’re presented with is a promise and a price, move on.

Some sites offer free tools you can download to remove specific malware. Once again, use caution. When the tools are from reputable sources, they can be a quick way to avoid some hassle. When the tools are really just more malware in disguise, they’ll only make your problems worse.

If you download anything to help address the problem, make sure it comes from an organization you know and trust.
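One way to check where a downloaded removal tool came from before running it is to inspect its Authenticode signature and, when the vendor publishes one, its SHA-256 hash. This is an added example, not part of the original article; the file path, publisher name, and hash are placeholders to replace with values taken from the vendor's own site.

```powershell
# Added example (not from the article). Path, publisher and hash below are placeholders.
$installer         = "$env:USERPROFILE\Downloads\tool-setup.exe"   # placeholder path
$expectedPublisher = 'PLACEHOLDER Publisher Name'                  # as named on the vendor's site
$expectedSha256    = 'PLACEHOLDER_SHA256_FROM_VENDOR_SITE'         # '' if the vendor publishes none

function Test-DownloadedTool {
    param([string]$Path, [string]$Publisher, [string]$Sha256)

    # 1. The file must carry a signature that Windows can validate.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)'; do not run this file."
        return $false
    }

    # 2. The signer must be the organization you expected, not just any signer.
    #    Matches the certificate's CN field exactly (case-insensitive).
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch ('CN=' + [regex]::Escape($Publisher) + '(,|$)')) {
        Write-Warning "Signed by '$subject', not by '$Publisher'."
        return $false
    }

    # 3. If the vendor publishes a hash, the download must match it.
    if ($Sha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $Sha256) {   # PowerShell string comparison ignores case
            Write-Warning "SHA-256 is $actual, which does not match the published value."
            return $false
        }
    }
    return $true
}

Test-DownloadedTool -Path $installer -Publisher $expectedPublisher -Sha256 $expectedSha256
```

A valid signature shows who signed the file, not that the signer is trustworthy, so the research step above still comes first.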

Surrender, reformat, and reinstall

There is only one sure-fire, 100% guaranteed way to remove any virus.

In fact, it’s the only way to know you’ve removed a virus. Once infected, none of the steps above are guaranteed to remove malware, even if they report that your machine is clean. Once infected, all bets are off. An infection can fool anti-malware software into thinking everything is fine even when it’s not.

There’s just no way to know.

The only way to be absolutely positive you’ve removed all viruses is:

  • Back up. If you haven’t already, back up the entire system. You’ll use this to restore your data after we’re done.
  • Reformat. Reformatting erases the entire hard disk of everything: the operating system, your programs, your data, and most important of all, all malware. This may be part of the next step, as Windows setup often offers to reformat the hard drive before installing.
  • Reinstall. Yes, reinstall everything from scratch. Reinstall the operating system from your original installation media or download. Reinstall applications from their original media or downloads saved elsewhere.
  • Update. Update everything. Make sure to bring Windows completely up to date for the most current protection against all known and patched vulnerabilities. Applications, particularly your anti-malware tools, should be updated as well.
  • Restore. Restore your data by carefully copying it from the backups you created when we started. By “carefully,” I mean take care to only copy the data you need so as not to copy back the malware. There is no guarantee you won’t copy the malware back, so copy only what’s absolutely needed, and make sure your anti-malware tools are running and up to date.
  • Learn. Take stock of how this happened, what you might have done to get infected in the first place, and what might have helped you recover more efficiently. Schedule a frequent system backup.

Do this

By now, I hope you can see why prevention is so much less painful than the cure. Taking a few extra steps to keep things up to date, avoiding those cute virus-laden downloads and attachments, and learning how to stay safe is much easier than the recovery process I just outlined.

And having backups can make the recovery process as close to painless as possible if you do get infected.

It’s not your fault. But it is your responsibility to learn how to stay safe when you use your computer.

In an ideal world, we’d never have to worry about malware or bad guys fooling us into doing things we shouldn’t. But you already know this isn’t an ideal world; software isn’t perfect and never will be. And there will always be someone out to scam the vulnerable.

Even though it’s not your fault, you need to get educated and take the steps needed to stay safe. Right or wrong, it’s a practical reality.


Footnotes & References

1: Yes, there is a truly free version. See the Malwarebytes article for details.

18 comments on “How Do I Remove Malware from Windows?”

  1. “Give up: backup, reformat, and reinstall everything from scratch.”

    That tends to sum up my mindset and is probably the all-around best choice anyways as it’s possible it might take up less of one’s time vs messing with a computer loaded up with junk running all kinds of software in an attempt to remove it and, not only that, but wiping the drive and installing the OS from scratch will pretty much guarantee it’s in optimal running order and free of junk/viruses etc. It’s simply the best all-around option.

    Because personally if someone even has a chance they were infected with random stuff of that sort, I simply would not trust the computer again (at least not doing anything important on it) until the OS is clean installed (i.e. wipe drive and install the OS from scratch).

    Or if I got a hold of a used computer… the first thing I would do is wipe the drive, probably with ‘secure erase’ (or maybe ‘dban’) for good measure to make sure whatever was previously on the computer is permanently gone and not recoverable, then install the OS from scratch. Then maybe update BIOS if a newer one is available etc.

    ————————————————-

    Drew Peacock said, “Another thing is how are users supposed to protect themselves from malware that modifies reputable software as happened with CCleaner and Linux Mint a while back? At least with Linux Mint users could have checked checksums, but that option wasn’t available to the CCleaner users (assuming they’d know what a checksum is or how to check one in the first place).”

    Yeah, but in cases like these with CCleaner the user probably can’t do much. But that’s why I am of the mindset not to run any unnecessary software on one’s computer (CCleaner can be nice but it’s not really needed) as it helps limit the attack surface.

    Even with browser extensions the same principle applies in that I would say the less the better not only for browser responsiveness but it lowers the risk of being compromised.

  2. Where you say “Reformatting erases the entire hard disk of everything” – true, if doing Full Format. Often “Quick Format” is checked, erasing only the File Table. The data remains, and can be recovered by malware.

  3. One issue with re-installs: sometimes you can’t. I tried to do a bare metal reinstall of my Windows 7 laptop, including the Adobe Acrobat full version that previously worked fine with Windows 7. (This was before Windows 7 reached end-of-life.) However, the validation server for that version of Acrobat was no longer in operation and, even though I had properly registered the software with Adobe when I bought it, I could reinstall it but not activate it.

    • Check out on the Adobe website for their support page. If you’ve paid for the license, there must be a way to get human support. I once did that with Microsoft when I changed my HDD and Windows was invalidated. They manually activated it for me.

  4. When setting up our new computer we took an early (Macrium) system image and again when everything was installed, but not used, as you have recommended previously.

    Could this second image be used in this instance instead of reinstalling everything from scratch?

  5. I haven’t had a lot of experience with malware other than a few PUPs that affected my browser non-seriously. In 40 years of PC use, I’ve only had 2 real malware infections. Both times, I restored from an earlier backup and everything was running well in an hour or two.
    I can’t stress enough the necessity to back up. It is a silver bullet against malware and other disk failures. Obviously, prevention has played a great part as 2 infections in 40 years is probably not bad.

  6. Wow, great article. Here’s a tip: ask an AI for the Chrome or Edge extension link to McAfee Web Advisor - doesn’t slow down your device, no account required, no unwanted offers

